Modifying an Enciphering Scheme after Deployment
Paul Grubbs, Thomas Ristenpart, Yuval Yarom
Format-Preserving Encryption (FPE)
[Figure: a client sends a credit card number CCN to an encryption service and receives the ciphertext E(CCN); the stored records hold E(CCN) values.]
Academic and industry work on FPE:
• Tokenization
• Cycle walking [BR]
• FE1, FE2 constructions [BRRS]
• Thorp shuffle [MRS]
• NIST standard FFX
• Support for arbitrary formats [DCRS, LDJRS, LSRJ]

This work: Backwards-compatible FPE
[Figure: the encryption service is replaced by a new encryption service; the client and the stored E(CCN) values stay the same.]
The new encryption service:
• Includes new features
• Decrypts old ciphertexts properly
• Not just key rotation: the FPE scheme itself changes
Example: Upgrading from tokenization
Tokenization: implement FPE using a look-up table of random ciphertexts (the encryption key is the table)
[Figure: the encryption service holds a table CCN1 → 1980-1431-…, CCN2 → 9886-3456-…, CCN3 → 8484-1234-… and returns E(CCN) to the client.]
Does not scale well! Practitioners want to use modern FPE instead (e.g., FFX)
Frequent problem in practice: old ciphertexts can't be retrieved and re-encrypted
Need a backwards-compatible FPE:
• New plaintexts encrypted with a compact key
• Old ciphertexts decrypted using tokenization
• Preserve permutivity
Example: Expanding format
Problem: deployed with one format in mind (e.g., just 16-digit CCNs) but need to support others as well (e.g., also 15-digit CCNs)
[Figure: the encryption service was built for 16-digit CCNs; the client now needs 15- and 16-digit CCNs, while the stored E(CCN) values remain.]
Frequent problem in practice: old ciphertexts can't be retrieved and re-encrypted
Need a backwards-compatible FPE:
• New plaintexts (15- or 16-digit CCNs) encrypted
• Old 16-digit ciphertexts can be decrypted
• Preserve permutivity
Our contributions
Give a generic algorithm (Zig-Zag) for backwards-compatible FPE
Domain completion (tokenization upgrade example):
• Prove "natural" security
• Analyze runtime
Domain extension (expanding format example):
• "Natural" security is impossible
• Give a new security goal, analyze it
Domain completion (formally)
Need a backwards-compatible FPE:
• New plaintexts encrypted with a compact key
• Old ciphertexts decrypted using tokenization
• Preserve permutivity
An FPE scheme FPE_K : D -> D with key K is a permutation of D for every K.
Call the old FPE (a partial permutation) F_K* : D ⇀ D and let T = Dom(F_K*).
Need a new FPE ZZ_K' : D -> D so that ∀ t ∈ T, ZZ_K'(t) = F_K*(t).
[Figure: T ⊆ D on the left is mapped by F_K* onto F_K*(T) ⊆ D on the right.]
Security goal is Strong Pseudorandom Permutation (SPRP): indistinguishable from a random permutation even if the adversary knows T.
The obvious approach doesn't work
What about simply using a tokenization scheme and a new FPE in parallel?
  Tok[ ] = table (CCN1 → 1980-1431-…, CCN2 → 9886-3456-…, CCN3 → 8484-1234-…), i.e. F_K*
  E = FFX with secret key K
  Encrypt((Tok[ ], K), M):
    If M in T then:
      Return Tok[M]
    Else:
      Return E_K(M)
[Figure: T is mapped onto Tok[T]; a fresh E_K(M) can land inside Tok[T].]
This doesn't define a permutation for every (T, K)!
The Zig-Zag Construction
Uses a form of cycle walking to "repair" the permutation on colliding points
  Tok[ ] = table (CCN1 → 1980-1431-…, CCN2 → 9886-3456-…, CCN3 → 8484-1234-…), i.e. F_K*
  E = FFX with secret key K
  Encrypt((Tok[ ], K), M):
    If M in T then:
      Return Tok[M]
    Else:
      C = E_K(M)
      while (Tok^-1[C] != null):
        M' = Tok^-1[C]
        C = E_K(M')
      Return C
[Figure: when E_K(M) collides with a value in Tok[T], the colliding table entry's plaintext is re-encrypted under E_K, and so on, until the ciphertext lands outside Tok[T].]
Zig-Zag analysis
Theorem (informal): If |T| <= |D|/2, the Zig-Zag algorithm runs in amortized constant time, except with negligible probability.
Key intuition: with random permutations, a hypergeometric tail bound upper-bounds the probability of drawing many collisions in a row.
Theorem (informal): The Zig-Zag algorithm is as secure as the underlying permutation (E), even if the adversary knows T.
Domain extension (formally)
Need a backwards-compatible FPE:
• New plaintexts (15- or 16-digit CCNs) encrypted
• Old 16-digit ciphertexts can be decrypted
• Preserve permutivity
Call the old FPE (a partial permutation) F_K* : D ⇀ D, T = Dom(F_K*), and the new domain M (D ⊆ M).
Need an FPE ZZ_K' : M -> M so that ∀ t ∈ T, ZZ_K'(t) = F_K*(t).
[Figure: D ⊆ M; T ⊆ D is mapped by F_K* onto F_K*(T) ⊆ D.]
Zig-Zag works for domain extension
  K* = old secret key for F_K* : D -> D
  K = FFX secret key for E_K : M -> M
  Encrypt((K*, K), M):
    If M in T then:
      Return F_K*(M)
    Else:
      C = E_K(M)
      while (F_K*^-1(C) ∈ T):
        C = E_K(F_K*^-1(C))
      Return C
[Figure: D ⊆ M; T ⊆ D is mapped by F_K* onto F_K*(T) ⊆ D; new points of M walk until they leave F_K*(T).]
What security does this achieve?
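The following is an added, self-contained Python implementation of the Zig-Zag loop from the two construction slides (domain completion over a tokenization table, and domain extension over an old cipher on D ⊆ M); it is example code written for this page, not the authors' implementation. FFX is not available offline, so `IntegerFPE` is a stand-in keyed permutation (HMAC-based Feistel plus cycle walking) and is not a vetted cipher; the keys and card numbers are constructed sample values. The `ZigZag` class takes any partial permutation that can answer "is m in T", "is c in F(T)", apply and invert, so one class serves both examples; domains are encoded as integers, with 15-digit CCNs offset by 10^16 above the 16-digit ones.

```python
import hashlib
import hmac


class IntegerFPE:
    """Keyed permutation on the integers [0, n): balanced Feistel over 2*half bits
    with an HMAC-SHA256 round function, then cycle walking until the value is < n.
    Stand-in for FFX in this example only (assumption: not a vetted cipher)."""

    def __init__(self, key: bytes, n: int, rounds: int = 10):
        self.key, self.n, self.rounds = key, n, rounds
        bits = max(2, (n - 1).bit_length())
        self.half = (bits + 1) // 2            # bits per Feistel half
        self.mask = (1 << self.half) - 1

    def _f(self, rnd: int, x: int) -> int:    # round function, output fits one half
        msg = rnd.to_bytes(1, "big") + x.to_bytes(8, "big")
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(tag[:8], "big") & self.mask

    def encrypt(self, x: int) -> int:
        assert 0 <= x < self.n
        while True:                            # cycle walk back into [0, n)
            l, r = x >> self.half, x & self.mask
            for i in range(self.rounds):
                l, r = r, l ^ self._f(i, r)
            x = (l << self.half) | r
            if x < self.n:
                return x

    def decrypt(self, y: int) -> int:
        assert 0 <= y < self.n
        while True:
            l, r = y >> self.half, y & self.mask
            for i in reversed(range(self.rounds)):
                l, r = r ^ self._f(i, l), l    # undo one Feistel round
            y = (l << self.half) | r
            if y < self.n:
                return y


class TokenTable:
    """Old partial permutation F_K* given by a tokenization table (domain completion)."""

    def __init__(self, table: dict):
        self.fwd = dict(table)
        self.inv = {c: m for m, c in table.items()}
        assert len(self.inv) == len(self.fwd), "table must be injective"

    def in_domain(self, m): return m in self.fwd      # m ∈ T ?
    def in_range(self, c): return c in self.inv       # c ∈ F_K*(T) ?
    def apply(self, m): return self.fwd[m]
    def invert(self, c): return self.inv[c]


class OldCipher:
    """Old FPE F_K* on the old domain D = [0, old_n) ⊆ M (domain extension)."""

    def __init__(self, cipher: IntegerFPE, old_n: int):
        self.E, self.n = cipher, old_n

    def in_domain(self, m): return m < self.n
    in_range = in_domain                               # F_K* is onto D
    def apply(self, m): return self.E.encrypt(m)
    def invert(self, c): return self.E.decrypt(c)


class ZigZag:
    """Backwards-compatible FPE: agrees with F_K* on T, cycle-walks elsewhere."""

    def __init__(self, old, new: IntegerFPE):
        self.F, self.E = old, new

    def encrypt(self, m: int) -> int:
        if self.F.in_domain(m):
            return self.F.apply(m)
        c = self.E.encrypt(m)
        while self.F.in_range(c):                      # c already owned by an old ciphertext
            c = self.E.encrypt(self.F.invert(c))       # re-encrypt the displaced old plaintext
        return c

    def decrypt(self, c: int) -> int:
        if self.F.in_range(c):
            return self.F.invert(c)
        m = self.E.decrypt(c)
        while self.F.in_domain(m):                     # mirror the walk backwards
            m = self.E.decrypt(self.F.apply(m))
        return m


OLD_D = 10**16                 # old domain D: 16-digit CCNs as integers
NEW_M = 10**16 + 10**15        # new domain M: 16-digit CCNs, then 15-digit ones offset by 10^16


def ccn_to_int(ccn: str) -> int:
    digits = ccn.replace("-", "")
    return int(digits) if len(digits) == 16 else 10**16 + int(digits)


def int_to_ccn(x: int) -> str:
    return f"{x:016d}" if x < 10**16 else f"{x - 10**16:015d}"


def demo_domain_extension() -> dict:
    """Encrypt a constructed 16-digit (old format) and 15-digit (new format) CCN."""
    old = OldCipher(IntegerFPE(b"constructed old key K*", OLD_D), OLD_D)
    zz = ZigZag(old, IntegerFPE(b"constructed new key K", NEW_M))
    out = {}
    for ccn in ("1234567890123456", "123456789012345"):   # constructed sample numbers
        c = zz.encrypt(ccn_to_int(ccn))
        out[ccn] = (int_to_ccn(c), int_to_ccn(zz.decrypt(c)))
    return out


if __name__ == "__main__":
    for pt, (ct, back) in demo_domain_extension().items():
        print(pt, "->", ct, "->", back)
```

Because ZZ_K' restricted to D equals F_K*, which is a permutation of D, every new-format (15-digit) plaintext necessarily lands on a 15-digit ciphertext; the demo shows this, and it is exactly the structure the next slide's distinguisher exploits.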
SPRP security is impossible
When the adversary knows T = {t_1 … t_|T|}, there is a trivial distinguisher for any DE (domain extension) cipher:
  for i in [1 … q]:
    if ZZ_K'(t_i) ∉ D: return "ideal"
  return "real"
Advantage = 1 - ( |D|! (|M|-q)! ) / ( |M|! (|D|-q)! )
Key intuition: for a random permutation of M it is unlikely that all queries fall in D.
[Figure: D ⊆ M, with F_K*(T) inside D.]
Can we prove any meaningful security?
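The advantage on this slide, worked through as an added Python example (not from the paper or the authors): the distinguisher is always right in the real world, because a backwards-compatible scheme maps every t ∈ T into D, and wrong in the ideal world exactly when a random permutation of M happens to keep all q queried points inside D. The code gives that probability both in the slide's factorial form and as a product usable at credit-card scale, checks both against brute-force enumeration over a tiny M, and runs the distinguisher itself. The parameters |D| = 10^16 and |M| = 10^16 + 10^15 model the 16-digit / 15-digit example; the oracles in the test are constructed stand-ins.

```python
from fractions import Fraction
from itertools import permutations
from math import factorial


def prob_all_in_d(d: int, m: int, q: int) -> Fraction:
    """P[a uniformly random permutation of M sends q fixed points of D back into D],
    with |D| = d, |M| = m: (d/m)*((d-1)/(m-1))*...*((d-q+1)/(m-q+1)).
    Product form, so it works for d, m around 10^16 where factorials do not."""
    assert 0 <= q <= d <= m
    p = Fraction(1)
    for i in range(q):
        p *= Fraction(d - i, m - i)
    return p


def sprp_advantage_closed_form(d: int, m: int, q: int) -> Fraction:
    """The slide's closed form 1 - |D|!(|M|-q)! / (|M|!(|D|-q)!); small parameters only."""
    return 1 - Fraction(factorial(d) * factorial(m - q), factorial(m) * factorial(d - q))


def sprp_advantage(d: int, m: int, q: int) -> Fraction:
    """Advantage of the distinguisher below: P[says real | real] - P[says real | ideal]."""
    return 1 - prob_all_in_d(d, m, q)


def prob_all_in_d_brute_force(d: int, m: int, q: int) -> Fraction:
    """Sanity check by enumeration: M = [0, m), D = [0, d), T = {0, ..., q-1}."""
    hits = sum(1 for p in permutations(range(m)) if all(p[i] < d for i in range(q)))
    return Fraction(hits, factorial(m))


def distinguisher(oracle, t_points, d: int) -> str:
    """The slide's distinguisher. oracle(t) returns ZZ_K'(t) in the real world or P(t)
    for a random permutation P of M in the ideal world; M is encoded so that D = [0, d)."""
    for t in t_points:
        if oracle(t) >= d:          # a random permutation of M leaves D with noticeable probability
            return "ideal"
    return "real"


def ccn_example(q: int = 10) -> float:
    """16-digit old domain D, 15- and 16-digit new domain M, q known old plaintexts."""
    return float(sprp_advantage(10**16, 10**16 + 10**15, q))


if __name__ == "__main__":
    print("exact advantage for |D|=3, |M|=5, q=2:", sprp_advantage(3, 5, 2))
    print("advantage at CCN scale with 10 known tokens:", ccn_example())
```

With |M|/|D| = 1.1, ten known old plaintexts already give an advantage of about 0.61, so no domain-extending scheme can be SPRP-secure against an adversary who knows T; this is why the deck moves to the SEPRP notion on the following slides.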
Can we achieve any meaningful security?
Weaken the SPRP security notion: target indistinguishability from a different ideal object, the "Strong extended pseudorandom permutation" (SEPRP).
SEPRP security
A permutation is an SEPRP if it is indistinguishable from a permutation sampled uniformly subject to ∀ t ∈ T, ZZ_K'(t) = F_K*(t).
Theorem (informal): Zig-Zag is an SEPRP.
Theorem (informal): SEPRP gives at most a factor-of-2 speedup in the message recovery game from [BRRS].
Key intuition: generalize the message recovery notion from [BRRS]. One hidden bit (membership in T), so 2x queries.
Other considerations
• If the adversary only knows |T|, a modified Zig-Zag can meet SPRP (see paper)
• Variable timing for some inputs
  + Timing side channel only leaks membership in T
• Rank-encipher-unrank construction
  + Fast in the worst case
  – High storage overhead, cache side channels
Summary
Introduce backwards-compatible crypto
We give a generic algorithm (Zig-Zag) for backwards-compatible FPE
Achieved domain completion and domain extension for FPE using the Zig-Zag algorithm.
Our techniques are efficient, provably secure, and solve real problems for practitioners
Thanks for listening! Any questions?